RE: [squid-users] RE : [squid-users] SQUID3 + Reverse proxy + OWA : strange error

From: Chris Robertson <crobertson@dont-contact.us>
Date: Wed, 17 Nov 2004 09:11:46 -0900

You don't need to use two different IPs, just two different ports. This is
not Squid's fault. From http://en.wikipedia.org/wiki/Virtual_hosting:

Because the SSL handshake takes place before the expected hostname is sent
to the server, the server doesn't know which encryption key to use when the
connection is made. One workaround is to run multiple web server programs,
each listening to a different incoming port, which still allows the system
to just use a single IP address. Another option is to do IP aliasing, where
a single computer listens on more than one IP address.

Chris
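Chris's two-ports layout written out as a squid.conf fragment (an added example, not configuration from either poster): one https_port per certificate, with the second listener on 8443 and its certificate file names assumed, and the thread's own ACLs and peers routing each hostname to its origin server.

```conf
# Added example, not from the thread. Assumptions: second listener on 8443,
# second certificate pair at /certificats/webmail-*.pem. Peer addresses are
# the ones quoted in the thread.

acl webmail_domains dstdomain webmail.xxx.fr
acl www_domains dstdomain www.xxx.fr

# One listener per certificate. The client's hostname is not known when the
# SSL handshake happens, so a single port can only ever present one cert.
# Each directive must stay on one line in squid.conf.
https_port 443 accel vhost defaultsite=www.xxx.fr cert=/certificats/server.pem key=/certificats/key.pem cafile=/certificats/ca-cert
https_port 8443 accel vhost defaultsite=webmail.xxx.fr cert=/certificats/webmail-server.pem key=/certificats/webmail-key.pem cafile=/certificats/ca-cert

# Only the two published hostnames are accepted; anything else is refused
# before it can be forwarded to a backend.
http_access allow webmail_domains
http_access allow www_domains
http_access deny all
http_reply_access allow all

# Each peer may only be selected for its own hostname.
cache_peer 172.21.0.63 parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only name=webmail
cache_peer_access webmail allow webmail_domains
cache_peer_access webmail deny all

cache_peer 172.21.0.66 parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only name=www
cache_peer_access www allow www_domains
cache_peer_access www deny all
```

A request for webmail.xxx.fr that arrives on 443 is still routed to the webmail peer by the Host header but is presented the www certificate, which the browser will flag, so publish webmail.xxx.fr with the 8443 port. Note that login=PASS hands the user's Basic credentials to the Exchange host over plain HTTP on port 80, so that hop must stay on a trusted network.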

-----Original Message-----
From: LIMA David [mailto:DLIMA@fr.scc.com]
Sent: Wednesday, November 17, 2004 9:01 AM
To: squid-users@squid-cache.org
Subject: [squid-users] RE : [squid-users] SQUID3 + Reverse proxy + OWA: strange error

Just for your information, my config is running smoothly,

Here are the keys for the config of squid:

acl webmail_domains dstdomain webmail.xxx.fr
acl www_domains dstdomain www.xxx.fr

http_access allow webmail_domains
http_access allow www_domains
http_access deny all
http_reply_access allow all

https_port 443 accel vhost cert=/certificats/server.pem key=/certificats/key.pem cafile=/certificats/ca-cert defaultsite=www.xxx.fr

cache_peer 172.21.0.63 parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only name=webmail

cache_peer_access webmail allow webmail_domains

cache_peer 172.21.0.66 parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only name=www

cache_peer_access www allow www_domains

Does anyone know if I can have two different SSL certs if I only have one
socket for squid? If not, I have to set up 2 IPs on my squid box and rewrite
my NAT rules.

_________________________________

David LIMA
Professional Services
www.scc.com

-----Original Message-----
From: LIMA David
Sent: Monday, November 15, 2004 19:39
To: squid-users@squid-cache.org
Subject: [squid-users] SQUID3 + Reverse proxy + OWA: strange error

Hi all,

I'm trying to set up a squid3 to do reverse proxy for OWA running on Exchange
2000 but I can't succeed: (I have read all posts about OWA + squid but
am unable to find a clue...)

Here is my setup

----------          ----------         ----------------
- CLIENT - ==> :443 - SQUID3 - ==> :80 - OWA@exch2000 -
----------          ----------         ----------------

When I go to http://webmail.xxx.fr/exchange/ it works, auth + browsing etc.

When I go to https://webmail.xxx.fr/exchange the auth box comes (I use
basic auth on OWA), I put my login and password, then the 2 frames of the
OWA web site appear but they are blank. When I go to my log files (exchange)
I can't find the problem.

Here is my setup for squid:
______________________________

http_port 3128
ssl_unclean_shutdown on
no_cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
acl all-dst dst 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 80
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl owa-exchange urlpath_regex \/exchange(\/|$)
acl owa-webid urlpath_regex \/WebID\/
acl owa-host dst 172.21.0.63/255.255.255.255
http_access allow owa-host owa-exchange
http_access allow owa-host owa-webid
http_reply_access allow all-dst
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all ==> !!!! for testing purpose only !!!!
http_access deny all
visible_hostname webmail.xxx.fr
https_port 443 cert=/certificats/server.pem key=/certificats/key.pem cafile=/certificats/ca-cert defaultsite=webmail.xxx.fr
cache_peer webmail.xxx.fr parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only

Here is a sample of my access.log during an unsuccessful attempt
_____________________________

4 172.21.1.4 TCP_MISS/401 333 GET https://webmail.xxx.fr/exchange/ - FIRST_UP_PARENT/webmail.xxx.fr text/html
19 172.21.1.4 TCP_MISS/200 1518 GET https://webmail.xxx.fr/exchange/ - FIRST_UP_PARENT/webmail.xxx.fr text/html

==> When I run squid in console mode (squid -d1 -N), I see that an error
occurs, but after googling and browsing the squid-archive-list I can't find
out why: "ClientNegotiateSSL: Error negotiating SSL connection on FD 16"

I have a second question: I want squid to serve https://www.xxx.fr from one
host, and https://www.xxx.fr/exchange/ or https://webmail.xxx.fr or
https://webmail.xxx.fr/exchange/ from a second host ==> is it possible to do
that with squid? And if yes, how?

Any help would be greatly appreciated. Thanks a lot.

David LIMA
Professional Services
www.scc.com

------------------------------------------------------------------------------------------

This message contains information whose content may be confidential.
It is intended exclusively for the indicated recipient(s).

Unless you are on the list of recipients, or are authorised to receive the
mail on their behalf, you are prohibited from copying it, using it or
disclosing its contents to a third party.

If you have received this e-mail in error, please contact the sender.

The opinions expressed in this e-mail are those of the sender and do not
necessarily reflect those of the company.

This e-mail may contain attachments, some of which could contain viruses
that could damage your computer system.

The company has taken all measures to minimise this risk and accepts no
liability for any loss or damage resulting directly or indirectly from the
use of this e-mail or its contents.

It is your responsibility to carry out your own anti-virus checks before
opening the attachment(s).
------------------------------------------------------------------------------------------

Received on Wed Nov 17 2004 - 11:11:49 MST

This archive was generated by hypermail pre-2.1.9 : Wed Dec 01 2004 - 12:00:01 MST